Date of Award


Document Type

Thesis - ECU Access Only


Edith Cowan University

Degree Name

Doctor of Philosophy


School of Science

First Supervisor

Associate Professor Trish Williams

Second Supervisor

Ken Fowel


Australia is in the process of adopting a national approach towards the secure electronic exchange of health information. The health information contributions of general practices as the primary point of patient medical care, will be critical to the success of an interoperable national healthcare system. Sharing information creates vulnerabilities by increasing exposure to information security threats. Consequently, improvement in information security practice within general practice may positively contribute towards improved patient care by providing access to timely and accurate information. There is renewed focus within general practice on information security, inter alia the introduction of: the Royal Australian College of General Practitioners (RACGP, 2014) Computer and Information Security Standards (CISS, 2013); privacy law reform in 2014; an evolving national electronic heath record system; litigation relating to information breaches; and continuing Australian public support for mandatory data breach notification legislation.

The implementation of reliable information security procedures within general practices will be critical to secure the exchange of confidential patient information. Protecting patient health information requires appropriate security measures in regards to technologies, policies, and procedures as well as ensuring that staff are well trained and aware of these security activities. Adherence to industry standard security activities will enable general practices to take responsibility for their information security thereby minimising the threat of lost or stolen information. To meet the rising number of information security threats, general practices need to adopt a framework of accountability and control to address and demonstrate effective information security management and governance. The governance component of information security remains insufficiently addressed within Australian general practice at present.

This thesis demonstrates an application of international standards at a strategic level, and proposes a functional process improvement framework against which general practices can assess and implement effective information security governance. This interpretation and operationalisation of international governance of information security standard ISO/IEC 27014:2013 (ISO, 2013), had not previously been undertaken. Further, application of information security governance within the Australian general practice environment had not previously been undertaken, and formed the basis for establishing a positive information security culture.

A qualitative action research methodology was utilised for the collection of national data. Further, iterative action research cycles were applied to develop the practical information security governance framework for use within general practice. Following a review of the literature, a preliminary framework was developed to include industry best practice standards and information security compliance criteria applicable to general practice. This initial governance framework extends the industry security standards developed by the RACGP CISS (2013), ISACA’s COBIT 5 (2012), NEHTA’s NESAF (2012) governance framework and Williams’ TIGS-CMM model (2007c). Information security experts validated the information security governance framework during focus groups and interview data collections, which included representatives from key Australian healthcare organisations.

Following development, the governance framework was applied and tested within general practices during iterative cycles of interviews. General practice participants conducted a self-assessment against the framework, responded to semi-structured interview questions, and policy documentation was analysed. The governance framework was revised following these iterations and cycles of action research. The objective of this research method was to achieve a ‘theoretical saturation’ of the theory whereby the patterns in the general practice interviews indicated when no new information was being yielded (Mason 2010). A final cycle of a general practice interview was conducted to verify the appropriateness of the information security governance framework within Australian general practice.

The contribution of this research was both theoretical and practical. A holistic governance framework and process was synthesised and formulated, which aimed to assist general practices to meet their legal and industry related compliance security responsibilities, by securing information assets in an escalating threat environment. The governance approach was designed to be achievable and sustainable for general practices over time, whilst encouraging incremental improvement in security performance. To address the people aspect of security, the governance process incorporated a risk-based structure for the review of security breaches and performance measures, to assist in making the necessary governance decisions by amending policies and processes, and accessing the required training. This strategic approach extends international and industry best practice of information security governance for use in Australian general practice, with the aim of improving the protection of confidential health information

LCSH Subject Headings

Medical records -- Data processing.

Health services administration -- Data processing.

Medical records -- Access control.

Medical informatics -- Security measures.

Information technology -- Security measures.

Data protection.